
Auditor's Guide to IT Auditing, Second Edition


By Richard E. Cascarino
Copyright 2012 by Richard E. Cascarino

APPENDIX C

Logical Access-Control Audit Program

Questions Yes No N/A COMMENTS


The widespread use of communications networks has shown
that physical controls provide limited value in protecting
the data stored on and processed by the computer. Logical
controls restrict access to specific systems to authorized
individuals and to the functions each individual can
perform on the system. Logical security controls enable the
organization to:
Identify individual users of IT data and resources.
Restrict access to specific data or resources.
Produce audit trails of system and user activity.
Audit Procedures:
Each type of software has an access path. Access paths are
those areas or points where access may be gained to the
system. When accessing the computer system, a user may
pass through one of multiple software levels before obtaining
access to the data resources (e.g., data, program libraries, etc.).
a) Review all possible access paths to the data resources
to determine that the security features in each piece of
software are utilized to minimize the vulnerabilities. Pay
specific attention to backdoor methods of accessing data
by operators and programmers.
b) Interview management and review documentation to
determine if integrated access-control software is used to
streamline security administration and improve security
effectiveness.

393

bapp03.indd 393 1/31/2012 9:35:45 AM




c) Control points are those areas on the software's access
path that may be used to control and protect data
resources. An access-path schematic identifies the users of
the system, the type of device from which they
access the system, the software used to access the system,
the resources they may access, the system on which these
resources reside, and the modes of operation
and telecommunications paths. The goal of the access path
schematic is to assist in the identification of all the control
points that could be used to protect the data stored on the
system. Review control points for the application to assess
their propriety.
d) Identification is the process of distinguishing one user from
all others. Authentication is the process of determining
whether individuals are who they say they are.
Passwords are used to control access to the computer
environment. While passwords are widely used for
authentication, they are not conclusive identifiers of
specific individuals because they may be guessed, copied,
overheard, recorded, and played back. If authentication
is achieved by use of passwords, review the procedures,
observe the operations, and interview user staff to ensure
that:
Passwords are controlled by the owner.
Passwords are changed periodically; the more sensitive the
data or the function, the more frequent the changes.
Passwords are not displayed when they are entered.
Minimum character length is set for the passwords.
Use of names, words, or old passwords is prohibited.
Users of data and resources are uniquely identified. It is not
advisable to use group IDs or passwords.
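The password items above can be turned into repeatable checks. The following is an added example and is not part of Cascarino's audit program; the policy values (12-character minimum, 90-day and 30-day change periods, 12-password history, the small word list) are assumptions, since the book gives no specific numbers, and the user names and sample passwords are constructed.

```python
"""Password-control checks for the audit items above (added example)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    # All values are assumed; the audit program states no specific figures.
    min_length: int = 12               # "minimum character length is set"
    max_age_days: int = 90             # "changed periodically"
    sensitive_max_age_days: int = 30   # more frequent for sensitive data or functions
    history_depth: int = 12            # old passwords that may not be reused
    forbidden_words: frozenset = frozenset({"password", "welcome", "secret", "letmein"})


def fingerprint(password: str) -> str:
    """Password history is kept as digests so old passwords are never stored in clear.
    SHA-256 keeps the example short; a production store would use a salted, slow hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, user_id: str, display_name: str,
                   history: list[str], policy: PasswordPolicy) -> list[str]:
    """Return the policy items the candidate violates (empty list = acceptable)."""
    findings = []
    lowered = candidate.lower()
    if len(candidate) < policy.min_length:
        findings.append(f"shorter than the minimum length of {policy.min_length}")
    # "Use of names ... prohibited": the user ID and each part of the display name.
    name_tokens = {user_id.lower(), *display_name.lower().split()}
    if any(token and token in lowered for token in name_tokens):
        findings.append("contains the user's ID or name")
    # "Use of ... words ... prohibited": checked against the constructed word list.
    if any(word in lowered for word in policy.forbidden_words):
        findings.append("contains a prohibited dictionary word")
    # "Use of ... old passwords ... prohibited": compare against recent history digests.
    if fingerprint(candidate) in history[-policy.history_depth:]:
        findings.append(f"reuses one of the last {policy.history_depth} passwords")
    return findings


def check_password_age(days_since_change: int, sensitive: bool,
                       policy: PasswordPolicy) -> list[str]:
    """Flag a password not changed within the period that applies to its sensitivity."""
    limit = policy.sensitive_max_age_days if sensitive else policy.max_age_days
    if days_since_change > limit:
        return [f"password unchanged for {days_since_change} days (limit {limit})"]
    return []


def find_shared_ids(assignments: dict[str, list[str]]) -> list[str]:
    """Group IDs: any user ID whose credential is held by more than one individual.
    assignments maps user ID -> list of people who know the credential (constructed)."""
    return sorted(uid for uid, people in assignments.items() if len(people) > 1)


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = [fingerprint("Winter-2011-Ledger")]   # constructed history
    print(check_password("Winter-2011-Ledger", "jdoe", "Jane Doe", history, policy))
    print(check_password("jdoe2012!!", "jdoe", "Jane Doe", history, policy))
    print(check_password_age(120, sensitive=True, policy=policy))
    print(find_shared_ids({"OPER": ["A. Lee", "B. Kim"], "jdoe": ["Jane Doe"]}))
```

An auditor would run the age check over the whole user population and the shared-ID check over the credential inventory; any non-empty result is a finding to record in the COMMENTS column.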
If authentication is achieved by possession of identification
devices such as ID cards, access cards, keys, and so on,
review the devices and observe the operations to evaluate
the effectiveness of this method.
Authentication of individuals by physical or behavioral
characteristics is also known as a biometric technology.
This is an automated method of verifying or recognizing the
identity of a person based on physiological or behavioral
characteristics. Biometric devices include fingerprints, retina
patterns, hand geometry, speech patterns, and keystroke
dynamics. If this authentication method is used, review
the devices and observe the operations to evaluate the
effectiveness of this means.



Access-control software allows the identification and
authentication of users, the control of access to information
resources, and the recording of security-related events and
data. Access-control software is important in enforcing
the change control process through the segregation of
development, testing, and production environments. Many
types of software contain features that are designed or
may be used to provide security. It is preferable to use
access-control software to secure the total environment or
to complement the features provided by specific software.
Access-control software provides comprehensive and
coordinated security.
a) When security software is initially installed, the protected
resources, authorized-user identifiers, and passwords must
be identified or defined to that software. Security profiles
may include user or resource passwords used to control
access to specific program functions or data files. Review
the security tables to determine that they are encrypted.
b) Each user can be assigned a scope of access, and each
resource a degree of protection. Resources that should be
protected from unauthorized access include:
Application systems program libraries.
System software program libraries.
Data files and databases.
Job-execution-language statement libraries.
Selected processing functions (modules) of applications
programs.
Sensitive utilities that can bypass normal security
controls.
Data dictionary files and programs.
Review the access rules for all the resources that should
be protected to evaluate their propriety.
c) Review responses to security violations for propriety.
Responses could include termination of processing,
forced shutdown of terminals, issuance of warning or error
messages, and writing of audit trail records.
The desired audit trail for security violation is selected
during implementation. Evaluate the effectiveness of
audit trails; such data may include user ID, resource
accessed, date, time, terminal location, and specific data
modified during the access.
Review access-control software to determine that the
following controls are in place:
1. Access to the system is restricted to authorized individuals.



2. Access to the processing functions of application software
is controlled in a manner that permits authorized users to
gain access only for purposes of performing their assigned
duties and precludes unauthorized persons from gaining
access.
3. Access rules or profiles are established in a way that
restricts departmental employees from performing
incompatible functions or functions beyond their
responsibility, and also enforces proper separation of
duties.
4. Procedures are enforced so that application programmers
are prohibited from making unauthorized program
changes.
5. User/application programmers are limited to the specific
types of data access (e.g., read, update) required to
perform their functional responsibilities.
6. Security profiles or tables are protected from unauthorized
access and modification. Access to these profiles or tables
is restricted to certain access paths.
7. Security tables or profiles are encrypted to restrict
unauthorized use.
8. Security profile-override capabilities are restricted.
9. Security data and resource access audit trails, including
audit trails of the use of the access-control software, are
protected from unauthorized modification.
10. Modifications or changes to the access-control software
itself are restricted to the appropriate personnel,
and those changes are made according to authorized
procedures.
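Items 2 through 8 can be reviewed mechanically once the access rules are extracted from the security software. The following is an added example, not from the book: the users, resources and roles are constructed, and the incompatible-function pair and the role restrictions are assumptions about what one organization might define.

```python
"""Review of access rules against checklist items 2 to 8 (added example)."""

# Constructed access rules: user ID -> resource -> permitted access modes.
ACCESS_RULES = {
    "jdoe":   {"AP.VENDOR_MASTER": {"read", "update"}, "AP.PAYMENTS": {"read", "update"}},
    "asmith": {"AP.VENDOR_MASTER": {"read"},           "AP.PAYMENTS": {"read", "update"}},
    "pgmr1":  {"TEST.LOADLIB": {"read", "update"},     "PROD.LOADLIB": {"read", "update"}},
    "secadm": {"SECURITY.TABLES": {"read", "update"}},
    "oper1":  {"SECURITY.TABLES": {"read", "update"},  "PROD.LOADLIB": {"read"}},
}
ROLES = {"jdoe": "ap_clerk", "asmith": "ap_clerk", "pgmr1": "programmer",
         "secadm": "security_admin", "oper1": "operator"}

# Item 3: functions one individual must not be able to combine (assumed SoD rule).
INCOMPATIBLE_FUNCTIONS = [("AP.VENDOR_MASTER:update", "AP.PAYMENTS:update")]

# Items 4, 6, 7 and 8: resources whose update access is reserved for named roles.
UPDATE_RESTRICTED_TO = {
    "PROD.LOADLIB": {"change_control"},      # programmers may not change production
    "SECURITY.TABLES": {"security_admin"},   # profiles/tables protected from modification
}

# Item 5: the access modes each role needs for its duties (assumed).
ROLE_MAX_MODES = {"ap_clerk": {"read", "update"}, "programmer": {"read", "update"},
                  "security_admin": {"read", "update"}, "operator": {"read"}}


def functions_of(grants: dict) -> set:
    """Flatten a user's grants into 'RESOURCE:mode' functions."""
    return {f"{res}:{mode}" for res, modes in grants.items() for mode in modes}


def review_access_rules(rules=ACCESS_RULES, roles=ROLES,
                        incompatible=INCOMPATIBLE_FUNCTIONS,
                        update_restricted=UPDATE_RESTRICTED_TO,
                        role_max_modes=ROLE_MAX_MODES) -> list[str]:
    findings = []
    for user, grants in rules.items():
        role = roles.get(user, "<unassigned>")
        funcs = functions_of(grants)
        for a, b in incompatible:                      # separation of duties
            if a in funcs and b in funcs:
                findings.append(f"{user}: incompatible functions {a} and {b}")
        for res, allowed in update_restricted.items():  # reserved update access
            if "update" in grants.get(res, set()) and role not in allowed:
                findings.append(f"{user} ({role}): update access to {res} "
                                f"is reserved for {sorted(allowed)}")
        granted = {mode for modes in grants.values() for mode in modes}
        excess = granted - role_max_modes.get(role, set())  # more than the job needs
        if excess:
            findings.append(f"{user} ({role}): access modes {sorted(excess)} "
                            f"exceed the role's needs")
    return sorted(findings)


def unprotected_resources(should_protect, rules=ACCESS_RULES) -> list[str]:
    """Resources the program says should be protected but that have no access rule
    at all; confirm the software's default disposition for these."""
    covered = {res for grants in rules.values() for res in grants}
    return sorted(set(should_protect) - covered)


if __name__ == "__main__":
    for finding in review_access_rules():
        print(finding)
    print(unprotected_resources({"AP.PAYMENTS", "DATA.DICTIONARY", "PROD.LOADLIB"}))
```

With the constructed rules the review reports four findings: the clerk who can both maintain vendors and release payments, the programmer with update access to the production load library, and the operator who can both update the security tables and holds a mode the operator role does not need.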
Certain types of communications software can restrict access
to the telecommunication network and to specific applications
located on the network.
Controls limiting access to a network and to sensitive
resources are specified in the communications software
through an authorized exit routine or table. Access to this
exit or table is restricted to the appropriate individuals.
Access to sensitive data and resources in the network is
controlled by:
Verifying terminal identifications.
Verifying logons to applications.
Controlling connections between telecommunications
systems and terminals.
Restricting an application's use of network facilities.
Protecting sensitive data during transmission.



Automatically disconnecting at the end of a session.
Devices and applications sharing similar security
requirements are placed in an isolated network with
restricted operational and user access.
Network software is configured, through the use of optional
journals, to provide extensive network activity logs.
Tables used to define network options, resources, and
operator profiles are protected from unauthorized access
and modification.
Operator commands that can shut down network
components can be executed only by authorized users.
Dial-in access to the system is closely monitored and
protected.
In-house access to communications software is protected,
and control over changes to the software is in place.
Precautions are taken to ensure that data are not accessed
or modified by an unauthorized user during transmission or
while in temporary storage.
Access to telecommunications hardware or facilities that can
monitor transmissions is restricted.
Application systems consist of data and programs specifically
written to perform a business function. Library-management
software can be used to store, maintain, and protect source
program libraries, job execution language libraries, and
in some instances data files and object program libraries.
Library management software packages differ in the type
of program libraries they can protect, the levels of security
they can provide, and the audit trails they can produce. The
libraries must be supported by adequate change control
and documentation procedures in order to provide a well-
controlled change environment.
The software system may not be effective unless supported
by detailed procedures, including formal authorization
to transfer programs; verification by user or Information
Systems (IS) management that all changes are authorized
and applied correctly; restricting performance of the
change-control procedures to a specific change-control
function; source programs copied to production libraries
and re-compiled; control over emergency changes;
emergency access granted for the purpose of resolving the
problems should be immediately revoked after the problem
is fixed; and all actions taken during the emergency should
be automatically logged.



The library-management system maintains an audit trail of all
activity against the libraries. One important control function
performed by the library-management software is the
maintenance of a program-change log. Information provided
includes the program name, version number, specific
changes made, maintenance data, and programmer ID.
The library-management software has a facility that
compares two source-code program versions and reports
any differences.
Access to programs or other items stored by the library-
management software is limited to certain access paths.
Access to passwords or authorization codes is restricted
to authorized individuals and passwords are changed on a
routine basis.
Access to library-management software is protected, and
controls over changes to the software are in place.
Precautions are taken to ensure that the library-access
definition tables are not modified by an unauthorized user.
Additional procedures are in place to ensure that the correct
versions of production programs reside in object program
libraries when these libraries are not protected by the
library-management software.
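The program-change log, the source-version comparison and the check that production libraries hold the authorized versions can be combined into one verification. The following is an added example and not the book's or any library-management product's own code; the program names, versions, change records, source text and library contents are constructed, and the digest-based comparison is an assumed way of tying an installed member to its authorized source.

```python
"""Library-management controls: change log, version comparison and production
library verification (added example)."""
import difflib
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeRecord:
    """One entry of the program-change log, with the fields the text names."""
    program: str
    version: int
    description: str
    changed_on: str       # maintenance date
    programmer_id: str
    authorized: bool      # formal authorization to transfer to production


def source_digest(source: str) -> str:
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def compare_versions(old_source: str, new_source: str, name: str) -> list[str]:
    """Report the differences between two source-code versions (unified diff lines)."""
    return list(difflib.unified_diff(old_source.splitlines(), new_source.splitlines(),
                                     fromfile=f"{name} (old)", tofile=f"{name} (new)",
                                     lineterm=""))


def verify_production_library(change_log: list[ChangeRecord],
                              authorized_sources: dict[tuple[str, int], str],
                              production: dict[str, tuple[int, str]]) -> list[str]:
    """Check that every production member is the latest authorized version and that
    its digest matches the source authorized for that version.

    authorized_sources maps (program, version) -> digest of the approved source.
    production maps program -> (version, digest of the member actually installed).
    """
    findings = []
    latest = {}
    for rec in change_log:
        if rec.authorized and rec.version > latest.get(rec.program, 0):
            latest[rec.program] = rec.version
        elif not rec.authorized:
            findings.append(f"{rec.program} v{rec.version}: change by "
                            f"{rec.programmer_id} has no authorization")
    for program, (version, digest) in production.items():
        if program not in latest:
            findings.append(f"{program}: in production without any authorized change record")
        elif version != latest[program]:
            findings.append(f"{program}: production holds v{version}, "
                            f"latest authorized is v{latest[program]}")
        elif authorized_sources.get((program, version)) != digest:
            findings.append(f"{program} v{version}: production member does not match "
                            f"the authorized source")
    return sorted(findings)


# Constructed sample data (a toy job-control-style source, not a real language).
OLD_SRC = "PROC PAYRUN\n  READ EMP\n  CALC TAX\nEND\n"
NEW_SRC = "PROC PAYRUN\n  READ EMP\n  CALC TAX\n  CALC BONUS\nEND\n"
CHANGE_LOG = [
    ChangeRecord("PAYRUN", 1, "initial release", "2011-11-02", "pgmr1", True),
    ChangeRecord("PAYRUN", 2, "add bonus calculation", "2012-01-14", "pgmr1", True),
    ChangeRecord("GLPOST", 1, "initial release", "2011-12-20", "pgmr2", True),
    ChangeRecord("GLPOST", 2, "emergency fix", "2012-01-30", "pgmr2", False),
]
AUTHORIZED_SOURCES = {
    ("PAYRUN", 1): source_digest(OLD_SRC),
    ("PAYRUN", 2): source_digest(NEW_SRC),
    ("GLPOST", 1): source_digest("PROC GLPOST\nEND\n"),
}
PRODUCTION = {
    "PAYRUN": (2, source_digest(NEW_SRC)),                         # correct
    "GLPOST": (2, source_digest("PROC GLPOST\n  PATCH\nEND\n")),   # unauthorized v2 installed
    "ARSTMT": (1, source_digest("PROC ARSTMT\nEND\n")),            # no change record at all
}

if __name__ == "__main__":
    print("\n".join(compare_versions(OLD_SRC, NEW_SRC, "PAYRUN")))
    for finding in verify_production_library(CHANGE_LOG, AUTHORIZED_SOURCES, PRODUCTION):
        print(finding)
```

The emergency-fix record illustrates the text's point about emergency changes: the change is logged, but because it was never formally authorized the verification reports both the record itself and the production member that was built from it.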
Database management system software (DBMS) is used to
control, organize, and manipulate data; provide multiple ways to
access data in a database; and manage integrated data that cross
operational, functional, and organizational boundaries within an
organization. Data dictionary (DD) software provides a method
for documenting elements of a database and may also provide a
method of securing data in a database management system. DD
software interfaces closely with the DBMS. The ability to add or
update the DD should be controlled to ensure the integrity of the
documentation. All updates to the DD should produce an audit
trail so that an automated record of all changes and a means of
recovery from disruptions can be maintained.
Determine that:
Access to data files is restricted at the logical data view,
field, or field-value level. Field-level security pertains to
the sensitive nature of the fields (e.g., salary). Field-value-level
security pertains to the contents of a field.
Access to the DD is controlled by using security profiles
and passwords within the DD software. The DD may use
the DBMS to store the information in a database format.
Therefore, the database must be secured using the various
access-control facilities built into the DBMS software.
Because the storage medium for the DD contents is a
database, the same audit-trail features that are in place for
application databases should also exist for the DD.



Inquiry and update capabilities from application program
functions, interfacing DBMS or DD facilities, and DBMS
utilities are limited to appropriate personnel. Security
functions implemented in the DBMS and DD may only be
effective when access to the database is made through the
DBMS or DD.
Access to DBMS software is protected and controls over
changes to the software are in place.
Procedures for maintaining security profiles in the DD
and security tables in the DBMS are adequate to prevent
unauthorized access to sensitive information.
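Field-level and field-value-level security, and the audit trail on data dictionary updates, can be illustrated with a small database. The following is an added example, not from the book; it uses Python's sqlite3 module as a stand-in for a DBMS, and the tables, security profiles, rows and the set of users allowed to update the dictionary are all constructed.

```python
"""Field-level and field-value-level access through the DBMS, and an audit
trail on data-dictionary updates (added example using sqlite3)."""
import sqlite3

EMPLOYEE_COLUMNS = ("emp_id", "name", "dept", "salary")

# Constructed security profiles: "fields" is field-level security (which columns
# a user may see); "row_filter" is field-value-level security (which rows, by the
# value of a field).
PROFILES = {
    "hr_clerk": {"fields": set(EMPLOYEE_COLUMNS), "row_filter": None},
    "eng_lead": {"fields": {"emp_id", "name", "dept"}, "row_filter": ("dept", "ENG")},
}
DD_UPDATERS = {"dba1"}   # assumed: the only users allowed to change the dictionary


def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employees (emp_id INTEGER PRIMARY KEY, name TEXT, dept TEXT, salary INTEGER);
        CREATE TABLE data_dictionary (element TEXT PRIMARY KEY, definition TEXT,
                                      sensitive INTEGER, last_changed_by TEXT);
        CREATE TABLE dd_audit (seq INTEGER PRIMARY KEY AUTOINCREMENT, element TEXT,
                               old_definition TEXT, new_definition TEXT, changed_by TEXT);
        -- Every update to the DD produces an audit-trail row automatically.
        CREATE TRIGGER dd_update_audit AFTER UPDATE ON data_dictionary
        BEGIN
            INSERT INTO dd_audit (element, old_definition, new_definition, changed_by)
            VALUES (NEW.element, OLD.definition, NEW.definition, NEW.last_changed_by);
        END;
    """)
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", [
        (1, "Ada", "ENG", 120000), (2, "Ben", "ENG", 95000), (3, "Cy", "HR", 70000)])
    conn.executemany("INSERT INTO data_dictionary VALUES (?, ?, ?, ?)", [
        ("employees.salary", "Annual salary, USD", 1, "dba1")])
    return conn


def query_employees(conn: sqlite3.Connection, user: str) -> list[dict]:
    """Read the employees table as the user's security profile permits."""
    profile = PROFILES[user]
    # Only whitelisted column names reach the SQL text; values are bound as parameters.
    cols = [c for c in EMPLOYEE_COLUMNS if c in profile["fields"]]
    sql = f"SELECT {', '.join(cols)} FROM employees"
    params: tuple = ()
    if profile["row_filter"] is not None:
        col, value = profile["row_filter"]
        if col not in EMPLOYEE_COLUMNS:
            raise ValueError(f"unknown filter column {col!r}")
        sql += f" WHERE {col} = ?"
        params = (value,)
    sql += " ORDER BY emp_id"
    return [dict(zip(cols, row)) for row in conn.execute(sql, params)]


def update_dictionary(conn: sqlite3.Connection, user: str,
                      element: str, new_definition: str) -> None:
    """Controlled DD update: only listed users, and the trigger records who changed what."""
    if user not in DD_UPDATERS:
        raise PermissionError(f"{user} may not update the data dictionary")
    conn.execute("UPDATE data_dictionary SET definition = ?, last_changed_by = ? "
                 "WHERE element = ?", (new_definition, user, element))


def dd_audit_trail(conn: sqlite3.Connection) -> list[tuple]:
    return list(conn.execute("SELECT element, old_definition, new_definition, changed_by "
                             "FROM dd_audit ORDER BY seq"))


if __name__ == "__main__":
    db = build_sample_db()
    print(query_employees(db, "eng_lead"))   # no salary column, ENG rows only
    print(query_employees(db, "hr_clerk"))   # all columns, all rows
    update_dictionary(db, "dba1", "employees.salary", "Annual base salary, USD")
    print(dd_audit_trail(db))
```

The point the text makes about security implemented in the DBMS or DD holds here too: the profile is enforced only inside query_employees and the trigger fires only for updates made through the database, so any path that reads or writes the underlying files directly bypasses both.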
There are two main types of utility software. The first type
is used in the system-development process to improve
productivity, such as program development aids and on-line
editors. The second type is used to assist in the management
of the operation of the computer system, such as performance
monitors, job schedulers, and disk-management systems.
Utility software may have privileged access capabilities at all
times, some of the time, or never. Privileged access allows
programs or users to perform functions that may bypass
normal security.
Determine that:
Access to specific utility files or functions is restricted.
Different utilities provide various types of protection. Some
utilities establish authorization levels for each protected file
or function and check each user's authorization level before
allowing access. Other utilities use passwords to prevent
unauthorized access.
Utility software generates an audit trail of use and activity.
Some utilities provide detailed audit trails of activity against
protected datasets, libraries, and other resources. These
audit trails provide information such as user ID, date and
time of access, resource accessed, and the type of access.
These audit trails also serve as a record of events, including
security violations and unauthorized accesses.
Precautions are taken to ensure that library manipulation
utilities, such as delete and copy, are protected from
unauthorized use.
Precautions are taken to ensure that only authorized
personnel have access to applications running under the
control of the utility.
Precautions are taken to ensure that only authorized users
have access to utilities that can update production libraries
and library members. Certain utilities should not be
maintained in the production environment.
Audit trails produced by utilities are carefully reviewed to
identify possible security violations.

Operating systems are a series of programs that manage
computer resources and serve as an interface between
application software and system hardware. These programs
manage and control the execution of application programs
and provide the services these programs require. Such services
may include job scheduling, disk and tape management, job
accounting, program compiling, testing, and debugging.
Determine that:
The use of exits is controlled. Operating-system software
may be customized by the use of exits to alter its processing.
Exits allow insertion of programs or code to perform
additional functions.
System programmers' activities are closely monitored.
System programmers select, install, and maintain systems
software. They are highly skilled and have extraordinary
access to the most sensitive elements of the computer
system.
Operating systems use passwords and user IDs to prevent
unauthorized users from gaining access to operating-system
functions and utilities. Many times these passwords and IDs
are defined in a system table or dataset that is activated
when the system is generated.
Passwords and user IDs are kept confidential. Unauthorized
users who can gain access to the system can make
unauthorized modifications to systems resources.
Access to operating-system software is restricted and
controls over changes to the software are in place.
Systems and data-security administrators are carefully
selected and monitored. They have the authority to modify
system functions, including systems-generation procedures
and user profiles.
Access to operating-system utilities is restricted. Operating
systems provide many utilities that can be used to make
unauthorized modifications to systems services and
resources.
Systems generations and re-initializations are monitored
because unauthorized generation can result in invalid
systems processing.
The use of all optional systems-software products, such as
on-line editors and TP monitors, is restricted to appropriate
authorized individuals.
Audit trails are reviewed on a regular basis to determine if
any unauthorized access attempts or modifications were
made.
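The audit trail reviews called for above (and earlier for access-control software and utility audit trails) come down to running a set of checks over the trail records. The following is an added example, not from the book: the record layout and the sample lines are constructed, using the fields the text lists (user ID, resource accessed, date, time, terminal and type of access), and the set of privileged users, the business-hours window, the denial threshold and the ten-minute window for the shared-ID check are all assumptions.

```python
"""Review of an access audit trail for unauthorized attempts and modifications
(added example; log format and records are constructed)."""
from collections import defaultdict
from datetime import datetime

# Constructed audit-trail lines: date time user terminal resource access result
SAMPLE_TRAIL = """\
2012-01-31 09:02:11 jdoe   T101 AP.PAYMENTS      update ALLOW
2012-01-31 09:05:40 oper1  T220 SECURITY.TABLES  update DENY
2012-01-31 09:05:52 oper1  T220 SECURITY.TABLES  update DENY
2012-01-31 09:06:03 oper1  T220 SECURITY.TABLES  update DENY
2012-01-31 09:07:00 oper1  T220 SECURITY.TABLES  update ALLOW
2012-01-31 09:10:15 jdoe   T305 AP.PAYMENTS      read   ALLOW
2012-01-31 23:41:09 pgmr1  T410 PROD.LOADLIB     update ALLOW
2012-01-31 23:44:30 secadm T001 SECURITY.TABLES  update ALLOW
"""

SENSITIVE_RESOURCES = {"SECURITY.TABLES", "PROD.LOADLIB"}
PRIVILEGED_USERS = {"secadm"}      # assumed: the only users expected to modify these
BUSINESS_HOURS = range(7, 19)      # assumed: 07:00 to 18:59
DENY_THRESHOLD = 3                 # assumed: repeated denials worth reporting
SHARED_ID_WINDOW_SECONDS = 600     # assumed: same ID on two terminals within 10 minutes


def parse_trail(text: str) -> list[dict]:
    """Parse the constructed whitespace-separated trail format into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, terminal, resource, access, result = line.split()
        records.append({"ts": datetime.fromisoformat(f"{date} {time}"), "user": user,
                        "terminal": terminal, "resource": resource,
                        "access": access, "result": result})
    return records


def review_trail(records: list[dict]) -> list[str]:
    """Return one finding per suspicious event, in trail order."""
    findings = []
    denies = defaultdict(int)   # (user, resource) -> consecutive denied attempts
    last_seen = {}              # user -> (timestamp, terminal) of the previous record
    for r in records:
        key = (r["user"], r["resource"])
        stamp = f"{r['ts']}: {r['user']}"
        if r["result"] == "DENY":
            denies[key] += 1
            if denies[key] == DENY_THRESHOLD:
                findings.append(f"{stamp} denied {r['access']} on {r['resource']} "
                                f"{DENY_THRESHOLD} times from {r['terminal']}")
        elif denies[key] >= DENY_THRESHOLD:
            # Success right after repeated denials: guessed password or changed rule?
            findings.append(f"{stamp} allowed {r['access']} on {r['resource']} "
                            f"after repeated denials")
        is_update = r["result"] == "ALLOW" and r["access"] == "update"
        if is_update and r["resource"] in SENSITIVE_RESOURCES \
                and r["user"] not in PRIVILEGED_USERS:
            findings.append(f"{stamp} modified sensitive resource {r['resource']}")
        if is_update and r["ts"].hour not in BUSINESS_HOURS:
            findings.append(f"{stamp} updated {r['resource']} outside business hours")
        # Same user ID active from two terminals in a short window suggests a shared ID.
        prev = last_seen.get(r["user"])
        if prev and prev[1] != r["terminal"] and \
                (r["ts"] - prev[0]).total_seconds() < SHARED_ID_WINDOW_SECONDS:
            findings.append(f"{stamp} active from {prev[1]} and {r['terminal']} "
                            f"within {SHARED_ID_WINDOW_SECONDS // 60} minutes")
        last_seen[r["user"]] = (r["ts"], r["terminal"])
    return findings


if __name__ == "__main__":
    for finding in review_trail(parse_trail(SAMPLE_TRAIL)):
        print(finding)
```

On the sample trail the review reports the operator's three denied attempts on the security tables followed by a successful update, the same user ID active from two terminals within ten minutes, and the late-night changes to the production load library and security tables; each is a line for the auditor to follow up rather than a conclusion in itself.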
